The widely-used WPA2 Wi-Fi security protocol features various ‘protocol-level’ security issues that render almost all Wi-Fi devices vulnerable to hacks.
The US-CERT has warned of several key management vulnerabilities in WPA2 security protocol that may affect all Wi-Fi devices.
Later today, a security research team working on uncovering loopholes in WPA2, the latest Wi-Fi security protocol, will be revealing their findings. However, as per available indications, the researchers will be revealing some alarming facts about how vulnerable the latest security protocol is.
WPA2 was first released by the Wi-Fi Alliance back in 2004 and has been constantly updated with key security features ever since. Some key security features in WPA2 include message integrity check which prevents attackers from altering or resending data packets and it is considered much stronger compared to the cyclic redundancy check (CRC) in WEP. As such, WPA2 certification is mandatory for all Wi-Fi devices sold across the world.
However, US-CERT, the United States Computer Emergency Readiness Team, released an advisory during the weekend in which it summarised what the research team will reveal in detail this evening.
‘US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol. The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others.
‘Note that as protocol-level issues, most or all correct implementations of the standard will be affected. The CERT/CC and the reporting researcher KU Leuven, will be publicly disclosing these vulnerabilities on 16 October 2017,’ the team said.
In short, almost all Wi-Fi devices featuring the WPA2 security protocol are vulnerable to key flaws in its 4-way handshake process. According to a security researcher who spoke to Ars Technica, hackers can compromise encryption around Wi-Fi traffic by establishing a key for encrypting such traffic in certain ways.
The site adds that even though the likes of Aruba and Ubiquity have updates available to mitigate these vulnerabilities, a large number of WI-Fi devices may not be patched in time or at all by their makers. Probably the most vulnerable would be devices built by small firms who may not have quick and efficient ways to patch devices that have already been sold to buyers.
No matter how strong the passwords of Wi-Fi devices at your home or workplace are, if your devices are not updated with new patches, hackers will be able to compromise protocol-level security flaws to eavesdrop on your Wi-Fi traffic at all times.
‘WPA2 is currently the recommended option for securing your WI-FI network; the flaw, if successful, and if you’re not using any other advance features ( VPN, encrypted data etc) could enable a hacker to eavesdrop on your data and or possibly gain access to any unsecured shares available on the same network,’ says Mark James, Security Specialist at ESET.
‘One of the biggest concerns here of course is getting routers patched- firstly getting the average user to check and apply any firmware updates and secondly, some older routers may not even have a patch available- the average household would acquire an auto-configured router, install it and forget about it, until possibly they change their internet provider. Here, they may go through the same procedure; too many people never check or implement router updates as it’s something often too complicated for the home user to be involved in,’ he adds.
Research paper reveals glaring holes in WPA2 Wi-Fi protocol security
So the official research paper on WPA2 Wi-Fi vulnerability is finally out. Like US-CERT warned ahead of its release, the research paper, authored by researchers Mathy Vanhoef and Frank Piessens, describes in detail how hackers can interfere with cryptographic Wi-Fi handshakes and manipulate them to steal credit card details, messages and passwords from users.
WPA2 Wi-Fi routers use 4-way handshakes to generate session keys and transmit data packets to devices receiving their signals. According to the researchers, a hacker can trick a victim into reinstalling an already-in-use key by manipulating and replaying handshake messages.
Once this is done, the hacker can hijack TCP streams and inject malicious data into them. At the same time, the hacker can also steal confidential data sent and received by users using Wi-Fi signals.
‘We confirmed our findings in practice, and found that every Wi-Fi device is vulnerable to some variant of our attacks. Notably, our attack is exceptionally devastating against Android 6.0: it forces the client into using a predictable all-zero encryption key,’ they said.
The revelations confirm that hackers can not only affect Wi-Fi devices, but also devices that are connected to Wi-Fi signals. Considering that Wi-Fi devices are in use in almost every home, every enterprise, every shop and restaurant, it is difficult to calculate how much sensitive data belonging to people and enterprises are vulnerable to exploits.
‘“I am quite surprised that the encryption keys are reset and reused if the third message of the four-way handshake is replayed by an attacker. This huge as this affects the majority of wireless devices. The damage to android is particularly devastating since using “wpa_supplicant” forces the clients into using an “all zero encrypting key” instead of the real encryption key,’ says Tyler Moffitt, Senior Threat Research Analyst at Webroot.
‘This currently affects 41% of all Android devices. This is a very large vulnerability and all wireless devices will be receiving patches soon and it’s imperative that everyone does it,’ he adds.
Following the publication of the research paper, Microsoft announced that it has already patched the vulnerabilities by releasing a security update for Windows 7, 8 and 10 devices last week. According to Apple, security updates to patch the recent vulnerabilities are currently being tested and will be rolled out in the coming weeks.
Even though Google will release a security patch on November 6, the same will fix the flaws in all Nexus and Pixel devices as well as some BlackBerry devices that enjoy zero-day update guarantees. It is, however, unclear when Android OEMs like Huawei, Samsung, LG, and HTC will pass on the updates to their respective devices.